Insider Threat Insights

With high profile cases continuing to draw attention to the threat to networks posed by malicious insiders, military and other organizations are increasingly focused on finding ways to protect themselves from those who purposefully or inadvertently allow the release of sensitive information or cause damage to systems.

The approaches include both technology, in the form of monitoring, analysis and identification systems, and management, such as policies governing passwords or network access for former employees.

With a host of products and services emerging from industry aimed at helping agencies cope with the insider threat, Military Information Technology recently reached out to a number of industry executives for their perspectives on how the Department of Defense and other agencies can best address this issue. Following are brief accounts of their responses.

Deterrence and Response

For Brendan Callahan, vice president, National Security Division for MTSI, the answer lies in keyless signature infrastructure (KSI), a technology that provides a digital signature or electronic stamp for any binary data.

“If you have an insider who is maliciously tampering with or stealing data, and if you are using a scalable digital signature and signing every single piece of data in your objects store, you can instrument all of that data to learn if it is changing or is still intact,” Callahan explained. “If it’s changing, who is changing it? I can do attribution of change very quickly. If an audit log has been changed and I can detect that, which KSI enables you to do, I can look at my signed audit log and see who did it, and can extract the proof of that event in a very portable way. KSI is an extremely portable way of proving the integrity of data, at a rate that no other digital signature technology available today can support.”

Part of the benefit of the solution lies in deterrence. “If I am an insider and I’m sitting in an environment where I know that KSI has been infused into everything I’m touching, I will know that the system will detect adverse activity extremely quickly, that I will not be able to cover my tracks, and that I will be discovered before I get out of the building. If anyone lifts a finger to compromise the integrity of the enterprise, everyone will know about it very quickly,” he said.

That also speeds remediation by rapidly making actionable information available. “That’s what has prevented us from handling some of these insider threat cases. The people who are charged with taking action cannot get actionable information quickly enough, so long periods of time go by between the bad act and the response. KSI is a way to cut that down to minutes, and that’s deterrence,” Callahan said.
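As an added illustration (not from the article, MTSI or the KSI product itself), the following Python builds a tamper-evident audit log where each entry's signature is chained to the previous one, so the property Callahan describes, detecting that signed data has changed and pinpointing the first affected entry, can be checked directly. The HMAC key, the event records and the user names are constructed sample values; the HMAC stands in for KSI's keyless, hash-tree signatures, which this snippet does not implement.

```python
import hmac
import hashlib
import json

# Constructed demo key: a stand-in for the keyless signature service (assumption).
SIGNING_KEY = b"demo-key-not-for-production"


def _digest(prev_sig: str, record: dict) -> str:
    """Signature over the previous entry's signature plus this record (chained)."""
    payload = prev_sig.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log: list, record: dict) -> dict:
    """Append an audit record whose signature depends on the whole history before it."""
    prev_sig = log[-1]["sig"] if log else ""
    entry = {"record": record, "sig": _digest(prev_sig, record)}
    log.append(entry)
    return entry


def verify_log(log: list):
    """Return (ok, index_of_first_bad_entry).
    An edit, reorder or deletion inside the log breaks the chain at that point.
    Caveat: silently dropping the newest entries is only caught if the latest
    signature is also anchored outside the log (as KSI does with its calendar)."""
    prev_sig = ""
    for i, entry in enumerate(log):
        expected = _digest(prev_sig, entry["record"])
        if not hmac.compare_digest(expected, entry["sig"]):
            return False, i
        prev_sig = entry["sig"]
    return True, None


def build_sample_log() -> list:
    # Constructed sample: three audit events written by two users.
    log = []
    append_entry(log, {"ts": "2014-03-01T09:00Z", "actor": "alice", "action": "read", "obj": "plan.docx"})
    append_entry(log, {"ts": "2014-03-01T09:05Z", "actor": "bob", "action": "copy", "obj": "plan.docx"})
    append_entry(log, {"ts": "2014-03-01T09:06Z", "actor": "bob", "action": "read", "obj": "budget.xlsx"})
    return log


def locate_tampering(log: list) -> tuple:
    """Verify a log and return (ok, bad_index, actor recorded in the bad entry)."""
    ok, idx = verify_log(log)
    actor = log[idx]["record"]["actor"] if idx is not None else None
    return ok, idx, actor
```

Verification localizes the first entry whose content no longer matches its signature; the untouched signed entries around it remain usable as evidence.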

The Four A’s

The first thing to realize about the insider threat is that, arising as it does from within an organization, it should be solvable with an effective management strategy, said Paul Christman, vice president of public sector for Dell Software.

“The internal threat is different from the external threat, which is very challenging because it’s all external—you don’t know what the challenges are going to be. We look at the internal threat, however, as being entirely owned by the organization or agency. All of the resources, assets and concerns are inside the control of the organization. What we need to do is to say we own and control this problem, which in some cases we have made. So it is solvable by us. We don’t have to guess about what advanced persistent external threat is going to come along,” he said.

“You know who these people are and have granted them privileges, or otherwise they wouldn’t be insiders,” Christman continued. “We have created the rights and privileges that have created the threats, and it leads us to the solutions that we should be implementing.”

The solutions are based on the “four A’s”—authentication, authorization, automation and auditing, he explained. “The four A’s start the discussion about where the internal threat starts. Most people think of it as involving a rogue system administrator. But I would start with a different approach, because the basic idea of authentication and authorization includes simple things like ‘onboarding’ a new user and deprovisioning an exiting user.

“We did a survey that found that many agencies take weeks to deprovision a user. What you have created is an inadvertent internal threat, because the user has been told that they are no longer part of the organization, but their access persists after termination. That is a gigantic security hole that most people think is an administrative oversight. But it’s really a security risk created by the lack of automation,” Christman said.
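As an added example (not from the article or Dell Software), this Python reconciles an HR separations feed against a directory export to surface the gap Christman describes: accounts still enabled days or weeks after termination, and, worse, accounts that were actually used after the termination date. The user names, dates and record layout are constructed sample data; a real check would read the HR system and a directory export such as an LDAP or AD dump.

```python
from datetime import date

# Constructed sample: HR separation feed and a directory export (assumed layouts).
HR_SEPARATIONS = [
    {"user": "jdoe", "terminated": date(2014, 2, 3)},
    {"user": "msmith", "terminated": date(2014, 2, 10)},
    {"user": "kwong", "terminated": date(2014, 2, 24)},
]
DIRECTORY = [
    {"user": "jdoe", "enabled": True, "last_logon": date(2014, 2, 18)},
    {"user": "msmith", "enabled": False, "last_logon": date(2014, 2, 9)},
    {"user": "kwong", "enabled": True, "last_logon": date(2014, 2, 21)},
    {"user": "rlee", "enabled": True, "last_logon": date(2014, 2, 25)},
]


def deprovisioning_gaps(separations, directory, today, grace_days=1):
    """Return (user, finding, days) tuples for separated users whose access outlived them.
    'stale'          : account still enabled more than grace_days after termination.
    'used_after_term': a logon was recorded after the termination date."""
    by_user = {acct["user"]: acct for acct in directory}
    findings = []
    for sep in separations:
        acct = by_user.get(sep["user"])
        if acct is None:  # already removed from the directory: nothing to flag
            continue
        days_open = (today - sep["terminated"]).days
        if acct["enabled"] and days_open > grace_days:
            findings.append((sep["user"], "stale", days_open))
        if acct["last_logon"] > sep["terminated"]:
            days_used = (acct["last_logon"] - sep["terminated"]).days
            findings.append((sep["user"], "used_after_term", days_used))
    return findings


def worst_deprovisioning_delay(findings) -> int:
    """Largest number of days a separated account stayed enabled (0 if none)."""
    return max((days for _, kind, days in findings if kind == "stale"), default=0)


if __name__ == "__main__":
    for finding in deprovisioning_gaps(HR_SEPARATIONS, DIRECTORY, date(2014, 2, 25)):
        print(finding)
```

Running the same reconciliation on every HR change, rather than weekly, is the automation step the passage argues for.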

To reduce risks involving system administrators, Dell is developing solutions that grant specific rights to do systems administration to a group of “super users.” There is a workflow that allows people to be routinely granted system access, but it is automated, tracked and auditable.

“Once the person has requested super user access, you are able to log what that person did. A lot of the internal threat problem is that there is no audit of super users. It’s a huge problem that we don’t audit or track, but we’re coming up with alternatives so that super users are granted authentication and authorization, but are never granted a password, so they are not able to reuse, divulge or compromise it. A lot of the threat comes from social engineering to have people give you their passwords. We’re overcoming that problem by never letting super users have passwords,” Christman said.

Involving Stakeholders

Michael Crouse, director of insider threat strategies at Raytheon Cyber Products, emphasized the need for an organizational perspective on the insider threat. “Getting stakeholders involved early in the process is something that is being used by all organizations, because it’s not just a counterintelligence problem. You want to get the legal department involved from a privacy perspective, or your inspector general involved from a fraud perspective, and your IT folks from their perspective. It’s evolving as additional stakeholders come into play knowing that the insider can do damage at many different levels, not just espionage. They can do fraud or sabotage or steal proprietary information, so there is awareness now of the need to get all your stakeholders involved.”

The next step is to select technology to meet your requirements, Crouse explained. “The technologies today are going beyond traditional information assurance tools, such as data loss prevention systems. Now you are seeing technologies bring context to the forefront, so you can determine the intent of an insider. You can see if the insider was actually malicious, trying to steal information on purpose, while another might just have made a mistake, was bending the rules to get a job done or didn’t know the policies in place. You need context and intent to determine the insider’s behavior.”

Raytheon favors a layered defense approach for the insider threat, just as for the external threat. “We’ve taken the same mentality and flipped it to protect the organization against the insider threat,” Crouse said. “We’re looking at combining our SureView product, which is an end-point monitoring system, with a product that is looking at the external threat, and integrating them together. Raytheon is taking its external tools and integrating with insider threat tools such as SureView to provide a dynamic layered approach.”

Analytics are also coming to the forefront. “SureView is a sensor collecting information based on policies, and it does a tremendous job in grabbing both metadata and context. But we’re also integrating best-of-breed third party analytics into SureView, so that you can really look at the metadata and find the needles in the haystack. We’re looking to be more proactive, and look at things that you couldn’t on a manual basis. But by automatically crunching through the data, you can pull out the needles and show them to the investigator, who can act appropriately,” he said.

Continuous Monitoring

At Tenable Network Security, the solution to the insider threat and other issues is continuous network monitoring, with technologies for measuring vulnerabilities, watching network traffic and creating logs.

“We have two unique differentiators in this market,” said Ron Gula, the company’s chief executive officer and chief technical officer. “One is that we can prove we have 100 percent coverage of the network. Often, people deploy security technologies, which provide a lot of data. But they don’t realize that the data they have is coming from some percentage of their network. What about the rest? We have 100 percent coverage.

“Secondly, we have brought together all of this technology,” he continued. “When you look at something like incident response or insider threat, if you only had logs or user lists, you might find something. But if you had all of that in one spot, you can do a wide variety of analytics.

“There are certain behaviors that vendors say they find all of. But they’re lying, because there are so many different ways you can steal data. Our differentiator is that once you are looking for someone, you have all the evidence in one spot, so you can quickly determine if this is a wild goose chase or there is something going on,” Gula said.

“If you have certain technologies that are preventative in nature, such as passwords, firewalls or locked doors, it is one thing to worry about who tried to knock on that door,” he added. “You could spend a lot of time looking for that. But if you watch where the data is flowing on the network, that’s something else. Those are two different things—analyzing who is talking to each other, and what is being prevented and who is trying to get in. They are actually very similar, but often done by different teams. We want to bring those things together.

“Typically, the security people look for bad things, using antivirus software, intrusion detection, anomaly detection and other capabilities, while the auditors look at who are the authorized users, if the system is configured correctly, or if the system is even supposed to exist. Those two roles are done completely differently. Tenable is trying to unify them, and much of what the government is trying to do, with continuous monitoring and other efforts within DoD, is to make those two processes unified, because if you have those in one place, you can infer a great deal of things that you would have completely missed,” Gula said.

Log and Event Management

Chris LaPoint, vice president of product management at SolarWinds, pointed to a recent SolarWinds cybersecurity survey that showed that 41 percent of DoD respondents claimed data leakage or theft as their top cybersecurity threat. What was most notable, he said, was that 53 percent also named careless and untrained insiders as their top security threat sources.

“Given the very real concern of insider threats, and the military’s competing priorities and budget constraints, DoD IT professionals must consider new approaches, including the implementation of continuous network monitoring solutions that allow IT teams to collect data once and report to many,” LaPoint said, pointing to technologies such as log and event management systems, which automatically analyze network activity, and user device tracking software, which can automatically monitor switches, ports and network devices.

“Using these types of continuous monitoring tools, system administrators can create watch lists of potentially suspicious and unauthorized devices, receive alerts if one of these devices attempts to connect to the network, and even take automated actions to mitigate.

“According to our data, 67 percent of DoD IT professionals have implemented at least one continuous monitoring solution to address IT operations and information security domains. Of those who have implemented continuous monitoring, nearly half have measured the return on investment and report it is paying off nicely,” he reported.

Multiple Encryption Levels

For agencies to fend off insider threats, multiple levels of encryption that limit decryption of information to only those with proper authentication are essential, according to Robert R. Swindle, director of enterprise solutions for Tangible Security. Layered encryption allows agencies to restrict access to sensitive data only to authorized users, allowing for better protection across the operating system or database.

“Agencies will see improvements in the tracking of insider activities across disparate systems from technology that reduces ambiguity and simplifies computations. This will yield a more holistic account of their actions to identify misuse or malicious intent from authorized or unauthorized users,” Swindle said.

Trusted Access

Ten years into the implementation of HSPD-12 credentials for federal employees and contractors, technology and processes for authentication and access control remain a crucial element of strategies for managing insider threats, argued Ken Ammon, chief strategy officer at Xceedium.

“Over time, as with the introduction of DoD instruction 8520.03 in 2011, we’ve seen our approach to managing access for users of all kinds mature and become more sophisticated,” Ammon said. “At the same time, the environment being protected is also growing more complex, with the rapid uptake of virtualized and cloud computing technologies. These technologies not only increase the scale of the environment, but also introduce new attack surfaces to protect.

“Add in growing compliance mandates, and security and compliance teams are faced with a substantial hurdle to overcome,” he continued. “But when we look at the tools we use to manage insider access, particularly privileged users, we find they’re not well prepared for the task. All too often, these management tools are point solutions, delivering unintegrated views of activity and inconsistent enforcement of policy. That’s inefficient and costly, and just isn’t working to prevent critical breaches that fundamentally impact operations and missions.”

There are two key requirements for managing trusted insider access, Ammon said. “First, successfully addressing these risks requires an integrated privileged identity management solution that supports the consistent application of policy across what today are often standalone functions, such as password and credential management, access control, monitoring and recording. Second, that suite of capabilities has to be available across the whole of the hybrid cloud, including traditional data centers, virtual infrastructure, and public/private clouds. It’s only by addressing both these requirements that DoD will truly be well equipped to manage these risks.” ♦